Through my reading about the generation of one-time passwords (OTPs), I found that there are many algorithms that generate OTPs, and they are either based on time, such as TOTP, or based on mathematical computation, such as HOTP and S/Key.

The problem is that they do not depend on any extra parameters to generate the OTP.

What I would like to know is which one I can use to generate an OTP using a hash function and some session tokens (IP address, etc.). These tokens would be used as parameters of the hash function. Of course, I would prefer options that are secure and hard to break.

Hmm, it could be easier if, instead of stating the solution you're considering, you told us what your problem is, then the solution you're thinking about, and the problems you have with it...

– woliveirajr, Feb 24 '12 at 15:32

1 Answer

It sounds like you're trying to improve the security of OTP schemes by adding extra "random-ish" data. My answer will address that; please update your question if that is a wrong interpretation.

These schemes don't literally have multiple inputs that you could feed this extra data into, but you don't need them to. For example, with HOTP the security of the function lies in the secret key. If it's strong, you have nothing to gain by incorporating outside data like IP addresses that are neither random nor private.

It sounds like the problem is that you don't trust the key to be secure and you want to augment the security by throwing in a variety of other factors. But instead, just focus on generating a good key. Instead of having your OTP scheme take input from a variety of sources, you should have your key generation take input from a variety of entropy sources. All of your entropy, which might include things like network addresses, is then mixed together in one step, used to generate a key in another step, and then the key is finally plugged into an existing OTP scheme. Then your OTPs will be dependent on some of the data that you mention here.
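The pipeline the answer describes (mix every entropy source once, derive a key from the mix, then feed that key to an unchanged OTP scheme) as an added example; this is not code from the answer or from any OTP library. It assumes HKDF-SHA256 (RFC 5869) as the mixing and derivation step and RFC 4226 HOTP as the OTP scheme; the entropy list, the `otp-key-v1` salt label and the IP address in the context string are constructed sample values. Note where the IP address goes: into the public `info` context for domain separation, not into the keying material, because as the answer says it is neither random nor private.

```python
import hashlib
import hmac
import os
import struct


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 20) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract-then-expand.

    ikm  - input keying material (the actual unpredictability)
    salt - non-secret value, mainly for domain separation
    info - context data; may be public (e.g. a client IP address)
    """
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_otp_key(entropy_sources, context: bytes, key_len: int = 20) -> bytes:
    """Mix all entropy sources in one step, then derive a single OTP key.

    entropy_sources: byte strings that carry real unpredictability
        (os.urandom output, hardware RNG, ...). Public data such as an IP
        address belongs in `context`: it separates keys per client but
        contributes no secrecy, so it must never be the only input.
    Each source is length-prefixed so that concatenation is unambiguous.
    """
    ikm = b"".join(len(s).to_bytes(4, "big") + s for s in entropy_sources)
    # "otp-key-v1" is a constructed application label, not a standard value.
    return hkdf_sha256(ikm, salt=b"otp-key-v1", info=context, length=key_len)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    # Constructed demo: real entropy from the OS, public context from the client.
    entropy = [os.urandom(32)]
    context = b"client-ip=203.0.113.7"  # documentation-range address, constructed
    key = derive_otp_key(entropy, context)
    for counter in range(3):
        print(counter, hotp(key, counter))
```

The `hotp` function can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is the easiest way to confirm that the OTP stage is standard and that only the key derivation in front of it changed.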

Wouldn't an OTP protocol using the IP address help security (albeit being more difficult to use)? For example, TOTP still has a weakness if somebody is looking over your shoulder, typing the same one-time password, and trying to beat you in pressing "enter" first. If the generated OTP were a function of the IP address (in addition to the secret), such an attack would be much harder (as the attacker would need to take over your IP in the timeframe between the last character and pressing enter, and before the TOTP expires).

– Matija Nalis, Oct 19 '14 at 19:21